CVE-2025-12409
Severity: HIGH
Looker Studio < 2025-07-07 - SQL Injection via Malicious Report with Native Functions
Title source: llmDescription
A SQL injection vulnerability was discovered in Looker Studio that allowed for data exfiltration from BigQuery data sources. By creating a malicious report with native functions enabled, and having the victim access the report, an attacker could execute injected SQL queries with the victim's permissions in BigQuery. This vulnerability was patched on 07 July 2025, and no customer action is needed.
References (2)
Various Sources: https://cloud.google.com/support/bulletins#gcp-2025-053
Third Party Advisory: https://www.tenable.com/security/research/tra-2025-27
Scores
CVSS v4: 7.3
EPSS: 0.0022
EPSS Percentile: 12.3%
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-89
Status: published
Products (1)
Google Cloud/Looker Studio < 2025-07-07
Published: Nov 10, 2025
Tracked Since: Feb 18, 2026